Think GDPR Won’t Affect Your U.S. Company? Guess Again

When the EU General Data Protection Regulation (GDPR) deadline arrives in May, companies that handle information belonging to European Union residents will have to adhere to a strict new set of guidelines – regardless of whether the company is based within the EU or outside the 28 member countries.

This may be news for some: One in four U.S. cybersecurity professionals believe their firm won’t need to comply with GDPR, according to a recent survey. Organizations that fall under the GDPR mandate could be fined up to 4% of annual global turnover or €20 Million (whichever is greater) in the event of a breach. While this is a worst-case scenario, it should be enough to get the attention of most companies that do business with EU citizens.

Does your company need to comply?

It’s surprising that so many U.S. firms simply aren’t worried, as the GDPR represents a significant change in the way data must be handled.

An important change in the GDPR involves the geographic scope of this new law. To summarize: Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR.

Two points of clarification. First, the law only applies if the data subjects (the GDPR's term for consumers) are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply. Second, a financial transaction doesn't have to take place for the extended scope of the law to kick in. If the organization merely collects "personal data" (aka personally identifiable information, or PII) as part of a marketing survey, for example, then that data would have to be protected GDPR-style.

What kinds of U.S.-based companies are likely to fall under the GDPR’s territorial scope?

U.S.-based hospitality, travel, software services and e-commerce companies will need to take a closer look at their online marketing practices. However, any U.S. company that has identified a market in an EU country and has localized online content should review their web operations.

U.S. companies without a physical presence in an EU country typically collect most of the personal data belonging to EU data subjects over the web. Are users in, say, Amsterdam who come across a U.S. website automatically protected by the GDPR? Here’s where the scope of requirements becomes a little more complicated: The organization would have to target a data subject in an EU country. Generic marketing doesn’t count.

For example, a Dutch user who searches the web and finds an English-language webpage written for U.S. consumers or B2B customers would not be covered under the GDPR. However, if the marketing is in the language of that country and there are references to EU users and customers, then the webpage would be considered targeted marketing and the GDPR will apply. Accepting that country's currency and using its domain suffix (say, a U.S. website that can be reached at a ".nl" address from the Netherlands) would certainly seal the case.

Do your GDPR “homework”

The best offense is a good defense. Companies that can show they essentially "did their homework" in following the GDPR requirements, with the paperwork to back it up, will be better off in the event of a violation where fines are involved. Once the Article 40 "Codes of Conduct" (which allow compliance with existing data security standards to count towards GDPR) are officially approved by the regulators, companies may receive "partial credit" for their compliance.

In short, Article 40 says that standards associations can submit their security controls, say PCI DSS, to the European Data Protection Board (EDPB) for approval. If a controller then follows an officially approved "code of conduct", this can dissuade the supervisory authority from taking action, including issuing fines, as long as the standards group (for example, the PCI Security Standards Council) has its own monitoring mechanism to check on compliance.

While we'll have to wait for more guidance, the point is that EU regulators will eventually let companies leverage their efforts (and investments) in meeting standards such as PCI DSS or ISO 27001 for GDPR compliance.

Take stock of your data

The GDPR also mandates "data minimization": not keeping data when it's no longer needed, or not even collecting it in the first place when it isn't strictly necessary for a business function. Most companies already have a policy for deleting "stale" data, though they may not follow through by actually applying those policies. The GDPR says that this IT practice is not just a good idea, but the law!

So companies that proactively automate their retention and disposition policies for their files will be better prepared for compliance, and they will also be better protected from insider threats and cyber attacks.

Unfortunately, many organizations have lost track of where their most sensitive information lives and who has access to it. Over 70% of folders we analyzed on corporate servers contained stale data, and almost half had 1000 files containing PII, credit card credentials, and other sensitive data sitting on file servers accessible to everyone.

With just a few months left to go, 60% of cybersecurity professionals in the EU and 50% of respondents in the U.S. say they face serious challenges in becoming compliant with the GDPR by the May deadline.

Organizations are running out of time to take stock of how exposed their data is to attack. Now is the time to reduce your risk profile by locking down sensitive data, removing users who no longer need access, and deleting or archiving stale data. Plan to maintain a least-privilege model to keep data secure.
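As an added illustration of the "take stock" step above (this is example code written for this page, not a Varonis tool or anything from the original article), the script below walks a file tree and flags the two conditions the text calls out: files older than an assumed retention window (stale data) and files whose POSIX mode makes them readable by everyone. The retention threshold, the file names and the ages in the fixture are all constructed values.

```python
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

STALE_AFTER_DAYS = 365  # assumed retention window; align with your disposition policy

@dataclass
class Finding:
    path: str
    age_days: float
    stale: bool            # not modified within the retention window
    world_readable: bool   # POSIX 'other' read bit set: open to every local account

def audit_tree(root: str, stale_after_days: int = STALE_AFTER_DAYS,
               now: Optional[float] = None) -> List[Finding]:
    """Walk `root` and report regular files that are stale, world-readable, or both."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, sockets, etc.
                continue
            age_days = (now - st.st_mtime) / 86400
            stale = age_days > stale_after_days
            world_readable = bool(st.st_mode & stat.S_IROTH)
            if stale or world_readable:
                findings.append(Finding(path, age_days, stale, world_readable))
    return findings

def summarize(findings: List[Finding]) -> dict:
    """Counts a remediation owner can act on: archive/delete stale, tighten open ACLs."""
    return {"stale": sum(f.stale for f in findings),
            "world_readable": sum(f.world_readable for f in findings),
            "stale_and_open": sum(f.stale and f.world_readable for f in findings)}

def build_sample_tree(now: float) -> str:
    """Constructed fixture in a temp dir: three files with chosen ages and modes."""
    base = tempfile.mkdtemp()
    for name, age_days, mode in [("hr/payroll_2015.csv", 900, 0o644),  # stale and open
                                 ("hr/roster.csv", 10, 0o644),         # current but open
                                 ("finance/q1.xlsx", 500, 0o640)]:     # stale, restricted
        path = os.path.join(base, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
        os.utime(path, (now - age_days * 86400, now - age_days * 86400))
    return base
```

Running `audit_tree(build_sample_tree(time.time()))` reports all three files, and `summarize` gives two stale, two world-readable and one that is both; on a real share, point `audit_tree` at the mount and feed the findings to your archiving and ACL clean-up workflow.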

Ignorance is not bliss when it comes to the GDPR, and organizations that have fallen behind in their preparations must ramp up their compliance activities or they could take a serious financial hit once the regulations take effect. Start taking control now.

About the author: Ken Spinner joined Varonis in 2006 and leads all technical pre- and post- sales engineering activities for Varonis customers worldwide. Ken’s career spans 30 years with organizations ranging from startups to Fortune 500 industry leaders. Prior to Varonis, Ken held leadership and senior engineering roles at Neoteris, Netscreen, Juniper Networks, BlueCoat Systems and Merck.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
